IT Services Agreement (Hong Kong)

An IT Services Agreement in Hong Kong fixes the respective duties and entitlements of the parties to the arrangement.

The Supply of Services (Implied Terms) Ordinance (Cap. 457) is the principal statute governing IT service engagements in Hong Kong. Section 5 of Cap. 457 implies a term that, where the supplier is acting in the course of a business, the supplier will carry out the service with reasonable care and skill — the standard of a reasonably competent IT professional. Section 6 implies a term that where no time for performance is fixed, services will be carried out within a reasonable time. Section 7 implies a term that where no consideration is fixed, a reasonable charge is payable. These implied terms cannot be excluded by contract if such exclusion would be unreasonable under the Control of Exemption Clauses Ordinance (Cap. 71). A well-drafted IT Services Agreement expressly addresses standard of care, response times, and pricing, removing reliance on the statutory implied terms.

The Personal Data (Privacy) Ordinance (Cap. 486) applies directly to Hong Kong IT services engagements because IT service providers routinely access customer systems containing personal data. Data Protection Principle 4 (DPP 4) requires the customer (as data user) to take all practicable steps to confirm personal data is protected against unauthorised or accidental access, processing, erasure, loss, or use — including by controlling what its IT provider does with personal data. DPP 3 restricts use of personal data to the purpose for which it was collected. The Privacy Commissioner for Personal Data has published guidance on outsourcing arrangements recommending that data processing obligations be set out in a written contract.

The Copyright Ordinance (Cap. 528) governs ownership of software, scripts, configurations, and documentation created during the engagement. Section 11(1) of Cap. 528 provides that copyright in works created by an independent contractor vests in the contractor, not the customer — unless the contract contains a written assignment complying with section 22 of Cap. 528 (in writing, signed by the assignor). Without an express assignment, the customer has only an implied licence to use the deliverables for the purpose for which they were created.

Hong Kong imposes no GST or VAT. All service fees, retainers, and other charges under the IT Services Agreement must be expressed in Hong Kong Dollars (HKD). For regulated industries — banking (regulated by the Hong Kong Monetary Authority, HKMA), securities (regulated by the Securities and Futures Commission, SFC), and insurance (regulated by the Insurance Authority, IA) — additional outsourcing requirements apply, including risk assessment, notification obligations, and audit rights.

IT Services Agreement (Hong Kong) Services Agreements in Hong Kong increasingly address artificial intelligence and automation tools used by the service provider in delivering managed IT services. Where the IT provider uses AI-powered monitoring tools, automated patch management systems, or machine learning-based threat detection, the agreement should address data handling by those AI systems, audit rights over automated decisions, and liability for errors or failures caused by AI tools. The Privacy Commissioner for Personal Data has issued guidance on the use of AI in data processing that applies to IT service providers operating in Hong Kong.

An IT Services Agreement in Hong Kong is needed whenever a business engages an external IT provider for ongoing or project-based technology services, replacing informal arrangements that leave both parties exposed to legal uncertainty.

A company outsourcing its entire IT infrastructure to a managed services provider (MSP) — covering helpdesk, network monitoring, server management, backup, and disaster recovery — requires a detailed IT Services Agreement defining the service scope, service level agreements (SLAs), escalation procedures, and the MSP’s obligations under the Personal Data (Privacy) Ordinance (Cap. 486) in respect of any personal data accessible on the customer’s systems.

A business engaging a cybersecurity firm for penetration testing, vulnerability assessments, security operations centre (SOC) monitoring, or incident response services requires an IT Services Agreement that clearly defines authorised testing scope, data handling restrictions, confidentiality obligations, and liability allocation. Penetration testing without a written authorisation scope creates legal risk under Hong Kong’s Computer Crimes Ordinance (Cap. 200), which criminalises unauthorised access to computer systems.

A company commissioning bespoke software development, system integration, or IT consulting from an external provider requires the agreement to address IP ownership — specifically whether copyright in deliverables is assigned to the customer under a provision complying with section 22 of the Copyright Ordinance (Cap. 528), or whether the provider retains copyright and grants a licence.

A financial institution regulated by the HKMA, SFC, or Insurance Authority that outsources material IT functions must comply with the relevant regulator’s outsourcing guidelines. The HKMA’s Supervisory Policy Manual module SA-2 (Outsourcing) requires authorised institutions to conduct risk assessments of IT outsourcing arrangements, notify the HKMA before outsourcing material functions, and include specific provisions in outsourcing contracts covering audit rights, business continuity, and sub-outsourcing restrictions. A well-structured IT Services Agreement addresses these regulatory requirements.

A company migrating workloads to cloud infrastructure — whether to public cloud providers operating data centres in Hong Kong or internationally — requires an agreement addressing data residency, data sovereignty, compliance with the PDPO (Cap. 486), and the provider’s obligations on termination including data portability and secure deletion.

A startup or SME engaging part-time IT support on a retainer basis should use an IT Services Agreement to document the scope of services, fees in HKD, and the provider’s obligations — avoiding disputes about what is included and confirming the provider’s obligations under Cap. 457 and Cap. 486 are clearly defined.

Any IT engagement involving access to personal data — virtually all IT services — requires data processing provisions in the agreement consistent with DPP 4 of the PDPO (Cap. 486) and the Privacy Commissioner’s outsourcing guidance.

A professionally drafted IT Services Agreement for Hong Kong must include the following key elements to satisfy statutory requirements under the Supply of Services (Implied Terms) Ordinance (Cap. 457), the Personal Data (Privacy) Ordinance (Cap. 486), and the Copyright Ordinance (Cap. 528).

Service scope: a detailed description of the IT services to be provided, distinguishing between services included in the base fee and those charged separately. The scope must address hardware, software, network, cloud, security, and helpdesk components as applicable. A clear service boundary prevents disputes about whether particular activities fall within or outside the agreed services.

Service level agreements (SLAs): measurable performance standards covering system availability (expressed as a percentage uptime per month, e.g. 99.5%), incident response times tiered by severity (Critical/High/Medium/Low), resolution time targets, planned maintenance windows, and change management procedures. SLAs give contractual specificity to the standard of reasonable care and skill implied by section 5 of the Supply of Services (Implied Terms) Ordinance (Cap. 457). Service credits — typically 5-15% of the monthly fee per missed SLA metric — are the standard remedy for SLA breaches.

Fees and payment: service fees expressed in HKD (no GST or VAT); fee structure (monthly retainer, time-and-materials at specified HKD hourly rates, or per-incident pricing); invoicing schedule; payment terms; and provisions for fee adjustments at renewal. Hong Kong has no statutory late payment interest regime — the agreement should specify an interest rate for overdue amounts.

Data protection: provisions complying with the Personal Data (Privacy) Ordinance (Cap. 486). The provider must process personal data only for the purpose of providing the agreed IT services (DPP 3); implement technical and organisational security measures appropriate to the nature of the data (DPP 4); notify the customer promptly of any actual or suspected data breach; restrict access to personal data to provider personnel who need it; prohibit use of customer data for the provider’s own purposes; and on termination, return or securely delete all personal data and provide written certification.

IP ownership: express provisions addressing who owns copyright in bespoke deliverables — software, scripts, configurations, and documentation — created during the engagement. Customer ownership requires a written assignment complying with section 22 of the Copyright Ordinance (Cap. 528). The provider’s pre-existing tools, libraries, and frameworks are typically retained by the provider with a licence granted to the customer. Open-source component licences (MIT, Apache, GPL) must be identified.

Confidentiality: mutual obligations protecting each party’s confidential information and trade secrets, with carve-outs for information that is publicly available, independently developed, or required to be disclosed by law or regulation.

Liability: limitation of liability provisions enforceable under the Control of Exemption Clauses Ordinance (Cap. 71); exclusions of indirect and consequential loss; and a liability cap (typically 12 months’ fees). The agreement should note that liability for death or personal injury caused by negligence cannot be excluded under Cap. 71.

Termination and transition: grounds for termination (breach, insolvency, convenience); notice periods; and transition assistance obligations requiring the provider to continue services during a handover period and transfer data, documentation, and third-party contracts to the customer or a replacement provider. forms-legal.com provides a free IT Services Agreement template for Hong Kong covering all of the above elements.

Business Continuity and Disaster Recovery: The IT Services Agreement in Hong Kong should address business continuity and disaster recovery obligations. Regulated financial institutions under HKMA supervision must maintain and test business continuity plans under the Supervisory Policy Manual module OR-1. IT service providers supporting HKMA-regulated banks must commit to defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) in the IT Services Agreement, and must conduct annual business continuity tests with results shared with the client. The Computer Crimes Ordinance (Cap. 200) also imposes obligations relevant to IT service providers, who must avoid any unauthorised access to computer systems not covered by the written authorisation scope in the agreement. Forms-legal.com provides a free IT Services Agreement template for Hong Kong.